Switch Shield Support (DDoS Protection using Switch Capabilities)
05/06/2020 0 4253
This feature provides protection from a Denial of Service attacks that make the firewall too busy to provide service.This feature was introduced in the 18.104.22.168 feature release and available on all versions post that.
NOTE:This feature is supported on NSA 3600 through NSA 6600, NSa series, and SuperMassive series platforms. For the NSA 6600 and other platforms that do not have ports connected through the Broadcom switch (directly connected ports), this feature applies only to ports that are connected through the Broadcom switch (indirectly connected ports).
To enable Switch Shield protection:
Navigate to MANAGE I System Setup | Switching | Switch Shield.
Select the Switch Shield options to be enabled. To protect against:
IP packets in which the source IP equals the destination IP, select SIP = DIP for IPv4/IPv6 packets
TCP Syn fragmented packets, select TCP Syn Frag Packets
TCP packets without control flags or sequence, select TCP packets with control flags = 0 and sequence number = 0
TCP packets with FIN, URG, and PSH bits enabled and the sequence number equal to 0, select TCP packets with FIN, URG, and PSH bits set and sequence number = 0
TCP packets with SYN and FIN bits enabled, select TCP packets with SYN and FIN bits are set
TCP packets with the source port equal to the destination port, select TCP Source Port = TCP Destination Port
TCP packets with a partial (< 20 bytes) header, select First TCP fragment does not have the full TCP header (less than 20 bytes)
TCP header offset equal to 1, select TCP header has fragment offset value as 1
UDP packets with the source Port equal to the destination port, select UDP Source Port number = UDP Destination Port number